HIPAA’s privacy rule requires that physicians inform each patient of their privacy practices in a written notice and make a good faith effort to get written confirmation from the patients of the receipt of that information. Physicians who are members of a hospital medical staff that has formed an "Organized Health Care Arrangement" do not have to present each patient they see in the hospital with a privacy notice, as they are covered by the hospital’s notice of privacy practices. The hospital’s notice is valid only for inpatient medical services. If a patient treated at the hospital goes to the physician’s office afterward for treatment, the physician must then provide the patient with a notice of privacy practices and get written acknowledgment from the patient of receipt of the notice.

The U.S. Department of Health and Human Services has set April 14, 2003, as the deadline for "covered entities" to comply with HIPAA’s privacy rules.

CMA’s HIPAA ToolKit CD-ROM has a template for a privacy-practices notice along with all other required forms for HIPAA compliance.